Fraudulent Apps are Efficient for Attackers
Malware authors have two options to get a user to install a malicious app: invest the time that it takes to build some new and useful functionality or impersonate an app with a brand and leverage its implied usefulness and the trust of the brand’s following. Any popular brand with a community is a good target, such as WhatsApp, MyEtherWallet, FlappyBirds – if you remember that one – and, oddly, flashlight apps.
In fact, a fraudulent app that uses someone else’s valuable brand is one of the lowest-effort ways to attack or take advantage of users through popular stores such as Google Play.
Activity with the MyEtherWallet app is a recent example of this tactic. On March 4th, @myetherwallet tweeted @GooglePlay that there appeared to be another fraudulent app claiming to be MyEtherWallet. Shortly after, the app at https://play.google.com/store/apps/details?id=com.ether.etherwallet was taken down by Google.
We were able to identify these fake apps with no heuristics. We just had to ask what was similar.
Many of our customers worry about just this situation – fake versions of their apps being created and taking advantage of their brand’s popularity and credibility to dupe users into downloading them. One way we’re ferreting out the fake apps is by combining human and machine learning.
Using Machine Learning to Find Fraudulent Apps
Appthority’s analysis engine clusters similar apps together to find fraudulent apps: apps that entice users with a known app brand but are used for malicious purposes. We’re answering the question, which apps are legitimate and which are fraudulent? To do that, we use a combination of machine learning, extensive preprocessing of data, and a scalable platform to measure the risk of fake apps. Here, we got creative and began looking for apps that are similar to one another, rather than relying on the more traditional security analyses that use signatures and heuristics to look for specific information and compare app names and developers. Looking for similarity enables the automatic discovery of variations both in the fraudulent apps themselves and in the metadata describing them.
In our cryptowallet analysis, we found several more fake MyEtherWallet apps, two of which were still live in Google Play with the package names com.crypwallet and com.mewmyeth. In this case, both apps had the same name, MyEtherWallet. In many fraudulent app cases the titles differ, and different titles do not negatively affect our ability to discover those fraudulent apps. This does, however, show that users cannot rely on an app with a popular brand name being from the brand’s company.
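As an added illustration of the similarity-based approach described in this section (example code written for this page, not Appthority’s engine), the snippet below scores store listings against a reference listing by normalized title closeness and description word overlap, and flags close matches published by a different developer. The three lookalike package names are the ones reported in this post; the reference package, the developer names and every description are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed reference listing for the brand's own app (placeholder package and
# developer, not MyEtherWallet's real identifiers).
REFERENCE = {"package": "com.example.brand.official", "title": "MyEtherWallet", "developer": "Brand Inc",
             "description": "Free Ethereum wallet interface send ETH and tokens"}

# Constructed store sample: the three lookalike package names are the ones named
# in this post; every title, developer and description is made up.
LISTINGS = [
    {"package": "com.crypwallet", "title": "MyEtherWallet", "developer": "dev-a",
     "description": "Free Ethereum wallet interface send ETH tokens"},
    {"package": "com.mewmyeth", "title": "MyEtherWallet", "developer": "dev-b",
     "description": "Ethereum wallet send ETH"},
    {"package": "com.ether.etherwallet", "title": "My Ether Wallet", "developer": "dev-c",
     "description": "Ethereum wallet client"},
    {"package": "com.example.brand.lite", "title": "MyEtherWallet Lite",
     "developer": "Brand Inc", "description": "Ethereum wallet lite"},
    {"package": "com.example.flashlight", "title": "Super Flashlight", "developer": "dev-d",
     "description": "Turn your phone into a bright flashlight"},
]

def normalize_title(title):
    """Lower-case and drop spacing/punctuation so 'My Ether Wallet' == 'myetherwallet'."""
    return re.sub(r"[^a-z0-9]", "", title.lower())

def description_overlap(a, b):
    """Jaccard overlap of the word sets of two store descriptions."""
    ta, tb = (set(re.findall(r"[a-z0-9]+", text.lower())) for text in (a, b))
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def similarity(reference, candidate):
    """Weighted listing similarity in [0, 1]: title closeness plus description overlap."""
    title = SequenceMatcher(None, normalize_title(reference["title"]),
                            normalize_title(candidate["title"])).ratio()
    desc = description_overlap(reference["description"], candidate["description"])
    return 0.6 * title + 0.4 * desc

def find_lookalikes(reference, listings, threshold=0.6):
    """(package, score) for listings that resemble the reference but come from another
    developer, best match first. Same-developer variants such as a 'Lite' edition pass."""
    flagged = []
    for app in listings:
        if app["developer"] == reference["developer"]:  # the brand's own apps
            continue
        score = similarity(reference, app)
        if score >= threshold:
            flagged.append((app["package"], round(score, 2)))
    return sorted(flagged, key=lambda item: item[1], reverse=True)
```

Title normalization is what catches the spaced variant "My Ether Wallet", and the developer check is what keeps the brand's own "Lite" edition out of the flagged set.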
As our Mobile Threat Team locates these fraudulent apps, we inform our customers and provide protection not just for those organizations but for everyone in the ecosystem by working with stores to take down the apps. Finding these apps requires knowledge of every app in the store, not just the apps in a customer’s user base, so that we can identify and measure risk before an app is even installed.
App store security is reasonably good at catching known malware and quickly taking down apps as new malware appears. But, for enterprises, it’s important to reduce the threats from mobile beyond what app stores are looking for. In this case, using creative methods to find and remove apps that play off of and tarnish a brand’s reputation is just good business.